Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS)

Method for analysis of code-reuse attacks

https://doi.org/10.15514/ISPRAS-2018-30(5)-2

Abstract

Providing security for computer programs is one of the paramount tasks today. Software failures can lead to serious consequences, and exploitation of vulnerabilities can inflict immense harm. Large corporations pay particular attention to the analysis of computer security incidents. Code-reuse attacks based on return-oriented programming (ROP) are gaining popularity each year and can bypass even modern operating system protections. Unlike common shellcode, whose instructions are placed consecutively in memory, a ROP chain consists of several small instruction blocks (gadgets) and uses the stack to chain them together, which makes analysis of ROP exploits more difficult. The main goal of this work is to simplify reverse engineering of ROP exploits. In this paper we propose a method for analysis of code-reuse attacks that allows one to split a chain into gadgets, restore the semantics of each particular gadget, and restore the prototypes and parameter values of system calls and functions called during execution of the ROP chain. Gadget semantics are defined by parametrized types. Each gadget type is defined by a postcondition (a boolean predicate) that must always be true after executing the gadget. The proposed method was implemented as a software tool and tested on real ROP exploits found on the internet.
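The following is an added illustration of the idea in the abstract, not code from the paper or its tool: a gadget type is a template with parameters (registers, an offset, a constant) and a postcondition over the state before and after the gadget, and a gadget receives a type instance only if that postcondition holds on every random initial state it is run from. The instruction set is a small constructed IR standing in for decoded x86-64, and the type names (MoveReg, LoadConst, AddReg, LoadMem, StoreMem) are assumed for the example rather than taken from the paper.

```python
"""Toy classification of ROP gadgets by parametrized types with postconditions.

Constructed example: a tiny register/stack IR (not real x86 decoding) is executed
from several random initial states; a (type, parameters) candidate is accepted
only if its postcondition holds on every trace. Type names are illustrative."""
import copy
import random

MASK = (1 << 64) - 1
REGS = ("rax", "rbx", "rcx", "rdx", "rsi", "rdi", "rsp")
GPR = [r for r in REGS if r != "rsp"]
OFFSETS = range(-0x20, 0x40, 8)          # memory offsets tried as type parameters


class State:
    """Registers plus sparse memory over a seed-derived pseudo-random background."""

    def __init__(self, seed):
        rng = random.Random(seed)
        self.seed = seed
        self.regs = {r: rng.getrandbits(64) for r in REGS}
        self.regs["rsp"] = 0x7FFF_0000_0000 + 8 * rng.randrange(1 << 16)
        self.rip = None                  # set by "ret"
        self.writes = {}                 # addr -> value written by the gadget

    def mem(self, addr):
        addr &= MASK
        if addr in self.writes:
            return self.writes[addr]
        # Initial memory content is a deterministic function of (seed, addr).
        return random.Random((self.seed << 64) | addr).getrandbits(64)


def execute(state, gadget):
    """Run the gadget IR on a copy of `state` and return the final state."""
    st = copy.deepcopy(state)
    r = st.regs
    for ins in gadget:
        op = ins[0]
        if op == "pop":                              # dst = [rsp]; rsp += 8
            r[ins[1]] = st.mem(r["rsp"])
            r["rsp"] = (r["rsp"] + 8) & MASK
        elif op == "mov":                            # dst = src
            r[ins[1]] = r[ins[2]]
        elif op == "movi":                           # dst = imm
            r[ins[1]] = ins[2] & MASK
        elif op == "add":                            # dst += src
            r[ins[1]] = (r[ins[1]] + r[ins[2]]) & MASK
        elif op == "load":                           # dst = [base + off]
            r[ins[1]] = st.mem(r[ins[2]] + ins[3])
        elif op == "store":                          # [base + off] = src
            st.writes[(r[ins[1]] + ins[2]) & MASK] = r[ins[3]]
        elif op == "ret":                            # rip = [rsp]; rsp += 8
            st.rip = st.mem(r["rsp"])
            r["rsp"] = (r["rsp"] + 8) & MASK
            break
        else:
            raise ValueError("unknown op %r" % op)
    return st


# type name -> (parameter candidates derived from one trace, postcondition(pre, post, params))
TYPES = {
    "MoveReg": (lambda pre, post: [(d, s) for d in GPR for s in GPR if d != s],
                lambda pre, post, p: post.regs[p[0]] == pre.regs[p[1]]),
    # The constant is read off the first trace and must then repeat on every other trace.
    "LoadConst": (lambda pre, post: [(d, post.regs[d]) for d in GPR],
                  lambda pre, post, p: post.regs[p[0]] == p[1]),
    "AddReg": (lambda pre, post: [(d, a, b) for d in GPR for a in GPR for b in GPR if a <= b],
               lambda pre, post, p: post.regs[p[0]] == (pre.regs[p[1]] + pre.regs[p[2]]) & MASK),
    "LoadMem": (lambda pre, post: [(d, b, o) for d in GPR for b in REGS for o in OFFSETS],
                lambda pre, post, p: post.regs[p[0]] == pre.mem(pre.regs[p[1]] + p[2])),
    "StoreMem": (lambda pre, post: [(b, o, s) for b in REGS for o in OFFSETS for s in GPR],
                 lambda pre, post, p: post.writes.get((pre.regs[p[0]] + p[1]) & MASK) == pre.regs[p[2]]),
}


def classify(gadget, samples=8):
    """Return the type instances whose postcondition holds on all traces, plus the stack shift."""
    traces = [(s, execute(s, gadget)) for s in map(State, range(samples))]
    pre0, post0 = traces[0]
    found = [(name,) + params
             for name, (candidates, holds) in TYPES.items()
             for params in candidates(pre0, post0)
             if all(holds(pre, post, params) for pre, post in traces)]
    # A chainable gadget must return through the stack: constant rsp shift and
    # rip taken from the last consumed stack slot.
    shift = (post0.regs["rsp"] - pre0.regs["rsp"]) & MASK
    ret_ok = all((post.regs["rsp"] - pre.regs["rsp"]) & MASK == shift
                 and post.rip == pre.mem(pre.regs["rsp"] + shift - 8)
                 for pre, post in traces)
    return {"types": found, "stack_shift": shift if ret_ok else None}


# Constructed sample gadgets; the keys are the x86-64 text the IR stands for.
GADGETS = {
    "pop rdi; ret": [("pop", "rdi"), ("ret",)],
    "mov rax, rbx; ret": [("mov", "rax", "rbx"), ("ret",)],
    "mov rax, 0x10; ret": [("movi", "rax", 0x10), ("ret",)],
    "add rax, rcx; ret": [("add", "rax", "rcx"), ("ret",)],
    "mov [rdi+8], rsi; ret": [("store", "rdi", 8, "rsi"), ("ret",)],
    "mov rax, [rdx]; pop rbx; ret": [("load", "rax", "rdx", 0), ("pop", "rbx"), ("ret",)],
}

if __name__ == "__main__":
    for text, ir in GADGETS.items():
        res = classify(ir)
        print("%-32s shift=%s %s" % (text, res["stack_shift"], res["types"]))
```

Running the classifier over the sample gadgets reports, for instance, `pop rdi; ret` as LoadMem(rdi, rsp, 0) with a stack shift of 16 and `mov [rdi+8], rsi; ret` as StoreMem(rdi, 8, rsi); a gadget that never executes `ret` gets no stack shift, since the chain could not continue from it. Testing a postcondition on several independent random states is what separates a genuine invariant of the gadget from a coincidence of one execution.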

About the Authors

A. V. Vishnyakov
Institute for System Programming of the Russian Academy of Sciences
Russian Federation


A. R. Nurmukhametov
Institute for System Programming of the Russian Academy of Sciences
Russian Federation


Sh. F. Kurmangaleev
Institute for System Programming of the Russian Academy of Sciences
Russian Federation


S. S. Gaisaryan
Institute for System Programming of the Russian Academy of Sciences; Lomonosov Moscow State University; Moscow Institute of Physics and Technology (State University); National Research University Higher School of Economics (HSE)
Russian Federation


For citations:


Vishnyakov A.V., Nurmukhametov A.R., Kurmangaleev Sh.F., Gaisaryan S.S. Method for analysis of code-reuse attacks. Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS). 2018;30(5):31-54. (In Russ.) https://doi.org/10.15514/ISPRAS-2018-30(5)-2



This work is licensed under a Creative Commons Attribution 4.0 License.


ISSN 2079-8156 (Print)
ISSN 2220-6426 (Online)